UK Spies’ Mass Data Collection Laid Bare

Rights group Privacy International today published previously confidential documents which it claims highlight for the first time the sheer scale of bulk collection of sensitive personal data on UK citizens by the authorities.

The cache of documents was made available to the privacy group in preparation for its Investigatory Powers Tribunal case about “whether the acquisition, use, retention, disclosure, storage and deletion of Bulk Personal Datasets [BPDs] is in accordance with the law and necessary and proportionate.”

They reveal that bulk collection of data on innocent citizens goes way beyond internet and phone records.

Specifically, GCHQ, MI5 and MI6 are said to routinely obtain mass datasets from public and private organizations in the UK, giving them access to medical, financial, travel, commercial and many other records.

Privacy International claimed the authorities have been doing this in secret for 15 years, although the documents also describe the use of Section 94 of the pre-internet era Telecommunications Act 1984 to access data in bulk.

The rights group said intelligence agencies have been unable to provide details on exactly how many personal records have been extracted as part of BPD programs and dumped in classified databases.

However, it’s obvious that there are concerns around the safety of such data from hackers, and from abuse by insiders.

In fact, some of the documents detail “policies, procedures and safeguards” designed to prevent abuses. These effectively amount to the intelligence services telling agents not to search for people “of no security interest” in the databases.

Millie Graham Wood, legal officer at Privacy International, claimed the databases filled with these BPDs could be used to build detailed profiles of every UK citizen.

“The agencies themselves admit that the majority of data collected relates to individuals who are not a threat to national security or suspected of a crime. This highly sensitive information about us is vulnerable to attack from hackers, foreign governments, and criminals,” she added.

“The agencies have been doing this for 15 years in secret and are now quietly trying to put these powers on the statute book for the first time, in the Investigatory Powers Bill, which is currently being debated in parliament. These documents reveal a lack of openness and transparency with the public about these staggering powers and a failure to subject them to effective parliamentary scrutiny.”

Although the government has released statements to the contrary, it’s far from clear that bulk collection of data really helps the intelligence services.

NSA whistleblower William Binney told the Joint Committee on the Draft Investigatory Powers Bill earlier this year that it is “99% useless” and overloads operatives with too much information, making it hard to focus on the important stuff.

It’s no coincidence that the 9/11 terrorists and those that committed the Paris terror attacks were known to the authorities before they struck.

Echoworx senior director, Jacob Ginsberg, argued that the UK authorities are effectively watching UK citizens as if they were criminals.

“This kind of cyber surveillance is no different to old school wire-tapping. However, a wiretap may only be approved by a court if evidence of reasonable suspicion can be found,” he added.

“The government should not be allowed to circumvent existing laws that have been put in place to protect law abiding citizens from potentially harmful intrusion. Having the power to sweep someone’s phone records, financial data, medical records and internet communications without a warrant during bulk data collection is morally wrong.”

Privacy International might have a hard time convincing the public of the over-reaching of the security services, however. A poll from Broadband Genie this week claimed three-quarters of Brits hadn’t even heard of the Investigatory Powers Bill.
